printer friendly version

Biometric myth busting

One of the strangest things in the world of biometrics has to be the enormous differences of opinion about the capabilities of this technology.

Most people who work in a security-related environment have almost certainly heard of biometrics. Outside of that group, lots of people know something about the topic – ranging from the fact that the police use fingerprints, through to some form of contact with biometrics either at work, perhaps at their bank, or from stuff they have read in the media.

Perceptions about biometrics amongst both groups of people - the security community and the public – are significant. For example, if we are going to move towards using biometrics to identify people at ATMs or when they use their payment cards at the tills, then it is going to be vital that Joe Public knows what is what and what is not.

As we see biometrics increasingly used for user-authentication within IT systems, it is important that the entire community of IT users is also provided with the low-down. Even if the IT security specialists in your organisation have balanced and accurate perceptions, what happens if the C-Suite thinks that fingerprints are nothing more than trivial sci-fi?

Myth # 1: You do not have to use fingerprints. Why not iris, facial, voice, retina or palm?

This has to be one of the easiest misperceptions to get sorted. Nothing comes close to fingerprints in terms of convenience and accuracy. Not only is fingerprint technology by far the most widely used form of biometrics, it is also the most advanced and the most mature of all the biometric methodologies.

The main reason for this is that most of the money spent on developing biometric technology has been devoted to advancing fingerprint identification. Fingerprint technology also features in the broadest range of applications, from physical access control to law enforcement – which is where modern biometrics has its roots.

About 30 years ago, technology that could automate fingerprint identification for policing purposes was beginning to be developed. This is significant for two reasons. Firstly, it reinforced fingerprints as the dominant method of identification within law enforcement – criminals do not leave an imprint of their iris at the scene of a crime. Secondly, it attracted the technical and financial resources necessary to produce what are now the world’s most capable biometric systems. And because of its global importance within law enforcement, fingerprint technology will continue to attract the lion’s share of development funding and maintain its pre-eminence in the future.

Buying anything other than a fingerprint-based biometric system really just boils down to a poorly informed choice.

Myth # 2: Fingerprints can be faked – so what is the point?

This one is dangerous because it is based on an element of truth. You can certainly dupe some fingerprint technology. But you cannot dupe it all. Fake Finger Detection or FFD technology is nothing new and is an optional feature in all the leading brands of fingerprint scanners. Essentially, what it does is to establish that the print it reads is from a living finger.

There is also technology that combines fingerprint recognition with vein recognition. These scanners recognise two sets of unique patterns: the traditional pattern formed by characteristics on the surface of the finger and the pattern formed by the vein structure within the finger. Replicating that pattern is going to be a pretty bloody business and is probably as near to impossible as makes no difference.

So, if you are concerned about people attempting to dupe the technology, choose a scanner that either offers FFD or one that combines finger and vein recognition in a single unit.

Myth # 3: Fingerprints are unhygienic. How can you possibly expect us to all use the same scanner?

When you think about it, this one really is a bit silly. Most of us use ATMs on a regular basis and are not concerned about pressing multiple buttons. Enter your PIN at the supermarket cash register and you will be touching at least four keys that hundreds of people have touched before you.

We can probably file this one where it belongs – in the bin. If the hygiene issue does bother you, perhaps I could gently suggest that you carry a hanky or a pack of wet-wipes.

Myth # 4. My fingerprints are most definitely mine. Who knows what might happen if I give them to you?

Nothing. It is a blunt answer but it is the answer. Other than being used for their intended purpose – in some form of access control for example, or perhaps as proof of identity in a law-court – nothing can be done with your fingerprint data.

Advanced biometric technology (ABT) does not work with a picture of your fingerprint. When you place your print on a fingerprint scanner, it does not take a photo of your print. The technology has nothing to do with what your fingerprint actually looks like to you. Perhaps the most important thing to understand here is that your fingerprint information is stored as an algorithm – a piece of mathematical code that is just a string of numbers. The sidebar shows what information actually is being recorded by the scanner.

Myth # 5. What happens if my fingerprints somehow get stolen? How will my prints then identify me and only me?

This one sometimes gets referred to as the compromise argument. Unlike some of the other myths surrounding biometrics, on the face of it, this one sounds good and I have often heard it put forward as a showstopper – a sort of ‘get-out-of-that-one’ approach from the biometric naysayers.

Let us accept for a moment that someone might be able to steal your prints and then use them to masquerade as you. Let us not bother about how they might steal your prints or even about how they might actually use them. Let us just assume that this has happened. To address this myth, we need to get a bit more technical and look at the concept of revocable biometrics. While it might not be widely known about, the concept has been around for years even if it has been mostly restricted to biometric research and academic circles.

Perhaps the most high-profile work being done on revocable biometrics is a European Community project called TURBINE. Admittedly, it is a bit of a convoluted acronym, but TURBINE stands for TrUsted Revocable Biometric IdeNtitiEs.

To quote from the project’s website, “TURBINE technology will protect the biometric template by cryptographic transformation of the fingerprint information into a non-invertible key that allows matching by bit-to-bit comparison. To enhance user trust, this key will also be revocable, ie, a new independent key can be generated using the same fingerprint.

“TURBINE eliminates the risk that a third party breaches the privacy of a citizen by tracing back his/her identity and any of his/her personal information associated to one or more of his/her identities. In addition, in case an identity is compromised, TURBINE will allow protecting the citizen’s privacy by revoking and replacing the identity without damages to his/her biometrics data and their use for his/her other identities.”

In short, it is an approach to biometric security that safeguards the integrity of your fingerprints in the unlikely event that they somehow are stolen. For much more detail on the technical aspects visit http://www.turbine-project.eu/index.php

Myth # 6: Multispectral imaging is the way to go with fingerprint scanners

This one is dangerous. It is possibly the most dangerous of all the biometric myths right now. It is not that the technology itself is dodgy, it is the fact that it falls foul of regulatory requirements. This is clearly a serious matter and is of a magnitude way beyond the concerns that are raised in all the other myths.

The problem is a simple one. Multispectral imaging – or MSI - does not meet the internationally adopted standards for fingerprint image-quality specified by the US National Institute for Science & Technology (NIST), the Biometrics Task Force of the US Department of Defence and the FBI.

For a variety of technical reasons, governments and law enforcement agencies do not consider MSI data to be an accurate representation of a fingerprint.

This means that a court of law is unlikely to accept multi-spectral data as evidence of a person’s identity. In other words, you cannot prove that the fingerprint data belongs to a specific person. In the eyes of the law, a multi-spectral print is problematic as proof of an identity.

Let us say you go to your bank branch and they ask you to scan your print as proof of your identity – perhaps to make a large cash withdrawal. At some later point there is a fraud problem on your account and it transpires that someone has somehow copied your fingerprint and made another large withdrawal.

If the bank was using a multispectral scanner, then there is nothing more to be done because the courts will not accept the fingerprint data.

Myth # 7: Fingerprint scanners just do not work.

The question here is: which fingerprint scanners do not work? There are a few very good scanners and there are a lot of very bad scanners. But the performance of even the very best scanners is not just about the quality of the technology. Performance is also dependent on how the technology is used.

For example, the way your fingerprint data is captured in the first place will affect how the technology performs when you actually come to use it later on. Referred to as enrolment, the initial data capture needs to be handled according to some straightforward procedures. There is nothing at all complex about enrolment but it does need to be done properly because poor enrolment leads directly to poor performance. It is the old story of garbage in, garbage out.

Equally, some fingerprint technologies struggle with recognising the fingerprints of only a few hundred people while others work perfectly with many thousands. A poor experience with biometrics in the past is almost certainly down to poor technology. Once again, it is a matter of selecting the right technology. And to a certain extent, it is another old story: you pays your money and you takes your choice.

Myth # 8: Biometrics are great but they are just excessively expensive

This is all about what you want the technology to deliver in terms of sound business benefits. If your company is suffering losses from any form of identity-based fraud or unauthorised access, then it is certainly worth looking at what these problems are actually costing you over the long term.

Buddy clocking is a common form of identity-based fraud in the workplace. People share their cards, clock-on for one another and get paid for not being there. Thousands, yes thousands, of SA organisations have completely eliminated those payroll losses by replacing their card-based systems with fingerprint scanners. And the exceptional accuracy of fingerprint-based attendance data means these companies have also cut the admin time and related costs arising from payroll disputes and discrepancies when cards get forgotten, lost or damaged.

But biometric technology is not just restricted to preventing payroll fraud or controlling physical access to your premises. Link it to your IT systems and you get rid of all those passwords and PINs and all the problems and risks they cause. Fingerprint-based identification can be used to control a whole host of IT activities such as who can make EFT payments, alter invoice details or modify stock-control reports.

And the benefits of biometrics are certainly not limited to big businesses that can afford to run their workforce management systems on advanced software platforms. For example, Ideco’s ES² is a free software package that controls up to six Morpho scanners for straightforward physical access control and time management.

This one really comes down to a business decision rather than a technical one. If a stronger form of identity control would save you money, then the right biometrics can make solid commercial sense by cutting risk and cutting losses.

Myth # 9: Biometrics might be fine in an office, but they are not suitable for industrial applications

To counter this perception it is worth considering that the local mining industry is one of the largest users of biometrics.

Mining is also interesting because it is also the industry where biometrics are used across a wide range of applications. Aside from physical security and payroll management, the mining industry also uses fingerprint-based identification to control access to canteens and monitor calorie intake; to govern the implementation of health and safety policies; and even to control who can drive those immense trucks that ferry ore around the mine.

The plain fact is that in comparison to soft office environments, biometrics are far more common in tough environments such as factories, chemical plants, agriculture, ports and construction.

Myth # 10: I cannot integrate biometrics into my systems

A practical rule of thumb here is that if access to a system is currently controlled by a card, PIN or password, then these ineffectual credentials can probably be replaced with fingerprint-based identification. This sort of integration work has already been done for all of the most widely used access control and T&A platforms.

In terms of access and activity control within corporate IT systems, competent fingerprint biometrics have already been configured to work in conjunction with Microsoft’s Active Directory and Novell’s e-Directory. They have also been integrated with mainframe-based solutions, replacing passwords and PINS in software platforms such as BAS – the Basic Accounting System that is used throughout SA government departments.

It would therefore be an error to simply forego all the risk-cutting benefits of biometrics simply because you assume that fingerprint identification will not work with a particular system. Of course, it may transpire that the necessary integration work does not warrant the expense involved. On the other hand, it might be a matter of plug-and-play. But it certainly cannot do any harm to ask….

Understanding fingerprint biometrics

Advanced biometrics technology (ABT) solutions are consistently able to recognise the positions where the raised ridges on a fingerprint either split or end. These positions are called Minutia Points and are marked on the graphic by the blue symbols.

Source: Ideco Biometric Security Solutions.

It is the unique pattern formed by the minutia points that enables an ABT system to distinguish one fingerprint from all others. ABT solutions convert this pattern into an algorithmic code and then store it for later matching when a user scans their fingerprint. Unlike less advanced biometric technologies, ABTs are not dependent on capturing a photographic image of the fingerprint.

Compliant with the international benchmark standards for forensic and investigative biometrics, ABT systems underpin the digital fingerprint identification solutions that are used by law enforcement and civil identity agencies worldwide.

Share this article:

Further reading: